http://www.klaushaller.net/?page_id=552

https://www.riskcrew.com/2022/07/iso-27001-documentation-whats-required-and-whats-optional/


Practical Documentation Hands-on (build)

https://www.youtube.com/playlist?list=PLCHmT3D9hgL5YKT1XIkHd9OY6co_sKYTQ


Two main conclusions on ISO 27001 as it applies to development and testing:

  1. Development, testing, and change management require clear written information security policies.
  2. The organization must enforce the policies in all projects and have evidence.

Specifically, for ISO 27001 certification we needed to follow this general process:

  1. Document the processes you perform to achieve compliance
  2. Prove that the processes convincingly address the compliance objectives
  3. Provide evidence that you are following the process
  4. Document any deviations or exceptions

To help you meet the ISO 27001 internal audit requirements, we have developed a five-step checklist that organisations of any size can follow.

1) Documentation review

You should begin by reviewing the documentation you created when implementing your ISMS.

This is because the audit’s scope should match that of your organisation.

Therefore, doing so will set clear limits for what needs to be audited.

You should also identify the main stakeholders in the ISMS.

This will allow you to easily request any documentation required during the audit.

2) Management review

The management review is where the audit activity begins to take shape.

Before creating a detailed audit plan, you should liaise with management to agree on the timing and resourcing for the audit.

This will often involve establishing set checkpoints at which you will provide interim updates to the board.

Meeting with management at this early stage allows both parties the opportunity to raise any concerns they may have.

3) Field review

The field review is what you might think of as the ‘audit proper’. At this stage, the practical assessment of your organisation takes place.

You will need to:

  • Observe how the ISMS works in practice by speaking with front-line staff members.
  • Perform audit tests to validate evidence as it is gathered.
  • Complete audit reports documenting the results of each test.
  • Review ISMS documents, printouts and any other relevant data.

4) Analysis

The evidence collected in the audit should be sorted and reviewed in relation to your organisation’s risk treatment plan and control objectives.

Occasionally, this analysis may reveal gaps in the evidence or indicate the need for more audit tests.

5) Report

You will need to present the audit’s findings to management. Your ISO 27001 internal audit report should include:

  • An introduction clarifying the scope, objectives, timing and extent of the work performed.
  • An executive summary covering the key findings, high-level analysis and a conclusion.
  • The intended recipients of the report and, where appropriate, guidelines on classification and circulation.
  • An in-depth analysis of the findings, conclusions and recommended corrective actions.
  • A statement detailing recommendations or scope limitations.

Further review and revision might be needed because the final report typically involves management committing to an action plan.

https://www.itgovernance.co.uk/blog/how-to-conduct-an-iso-27001-internal-audit

